Proxy based network access

ABSTRACT

Techniques for proxy based network access are discussed herein. In some examples, the techniques can be implemented in a network proxy device for Citizens Broadband Radio Service (CBRS). A base station or a domain proxy device may manage or otherwise use CBRS resources by exchanging signaling messages with a Spectrum Access System (SAS). The base station or domain proxy device may transmit signaling messages in a first private network to a network device bridging the first private network and a second private network with limited access to a public network. The network device sends proxy message(s) in response to the signaling messages to the SAS and can establish an encrypted session layer or application layer tunnel between the base station and/or domain proxy device and the SAS. The proxy based network access preserves secure networks while still allowing limited messaging with other public or private networks.

BACKGROUND

Traditionally, service providers have obtained licenses to conduct wireless communications in a particular range of frequencies, and accordingly, have programmed base stations in a wireless network to use a fixed set of frequency resources. However, the number of user devices has grown over time, greatly increasing the amount of wireless traffic to be handled by the wireless networks.

The Citizens Broadband Radio Service (CBRS) enables shared wireless broadband use of the 3550-3700 megahertz (MHz) band (3.5 gigahertz (GHz) band). Historically, a portion of the CBRS band has been used by the United States Navy, satellite service providers, and utilities. However, the CBRS band has recently been made available for new commercial mobile uses.

CBRS is governed by a three-tiered spectrum authorization framework to accommodate a variety of commercial uses on a shared basis with incumbent users of the 3.5 GHz band. The three-tiered spectrum authorization framework provides Incumbent Access users priority access over Priority Access users, and Priority Access users priority access over General Authorized Access users. Incumbent Access users include authorized federal and grandfathered Fixed Satellite Service users. The Federal Communications Commission has implemented rules protecting such users from harmful interference from Priority Access and General Authorized Access users. That is, Incumbent Access users have priority access to the 3.5 GHz band. Priority Access users are granted access to the 3.5 GHz band via a Priority Access License assigned using competitive bidding within the 3550-3650 MHz portion of the 3.5 GHz band. General Authorized Access users are granted access on a licensed-by-rule basis, which permits open, flexible access to any portion of the 3550-3700 MHz band, so long as the portion of the 3550-3700 MHz band is not assigned to a higher tier (e.g., Incumbent Access or Priority Access). In some situations, access to the CBRS can be controlled, at least in part, by a Spectrum Access System (SAS), which may utilize rules to protect Incumbent Access users and Priority Access users.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.

FIG. 1 illustrates an example environment including network devices performing proxy based network access to facilitate the use of the Citizens Broadband Radio Service (CBRS) spectrum, as described herein.

FIG. 2 illustrates a user equipment (UE) communicating with a base station and paths of signaling data and user data in the example environment, as described herein.

FIG. 3 is a diagram illustrating example signaling for using the proxy based network access techniques for CBRS spectrum management, as described herein.

FIG. 4 illustrates an example computing device to implement the network communications, as described herein.

FIG. 5 illustrates an example process for secure network communications for CBRS spectrum management, as described herein.

DETAILED DESCRIPTION

Techniques for proxy based network access are discussed herein. In some examples, the techniques can be implemented in a network device for use in connection with a Citizens Broadband Radio Service (CBRS). For example, a base station may exchange signaling messages with a Spectrum Access System (SAS), which can allocate spectrum to a base station for use in the CBRS band. In order to secure base stations from attack or malicious network traffic, a base station can be connected to a private network, which may be completely isolated from other private and public networks. However, the SAS may be located on a public network such as the internet.

Thus, techniques may include a base station (or a domain proxy device, discussed below) transmitting a message or first communication to a network device (also referred to as a network proxy device) coupled to the private network. The network proxy device can receive the message or the first communication from the base station and can initiate a new message or communication from a second network that is separate from the private network associated with the base station. In some cases, the first message sent from the base station may be addressed to a first address associated with the network proxy device and/or SAS, while in some cases, the new message generated by the network proxy device can be addressed to a second address associated with the SAS. Additional network address translation may be performed by a firewall device so that the message sent by the network proxy device can be ultimately received by the SAS. In response to the SAS receiving the message, the network proxy device may initiate an encrypted channel between the base station and the SAS so that messages can be exchanged between the base station and the SAS, such as to allocate spectrum to the base station. Accordingly, the techniques can allow the base station in a secure, private network to communicate with the SAS on a public, unsecured network, without exposing the base station to unnecessary risks or to malicious traffic.

In some instances, control plane messages to and from base stations in a communication network (e.g., a 2G, 3G, 4G, and/or 5G network) can be exchanged via a private network that does not have direct access to a public network. In some examples, the private network can be completely isolated from other networks, such that a communication cannot be directly transmitted to devices outside the private network. In some instances, communications via the private network can be addressed using private Internet Protocol (IP) addresses. In some examples, the private network can include a network device (e.g., a domain proxy device) that can receive communications associated with the SAS from the base stations and/or function as an intermediary device between the base stations and the network proxy device bridging the gap between the private network and a second network. In some examples, the domain proxy device can include locally provisioned entries resolving fully qualified domain names (FQDN) associated with a SAS into a private IP address (e.g., an address associated with one or more network devices, such as the network proxy device, that bridge the private network and another network).

In some instances, when initiating a communication with a SAS, a base station can send an address request to a name server (such as a domain name system (DNS) server). In some instances, the address request can include a fully qualified domain name (FQDN) associated with the SAS. In some instances, the base station can receive an address response from the name server including a first IP address associated with the network proxy device. The base station can address a message or first communication to the network proxy device using the first IP address, whereby the first communication can be received by the network proxy device. In some examples, the first IP address can be a private IP address, so that the base station never learns or holds a routable address for the SAS.

The network proxy device can be communicatively coupled with the private network and a backhaul network. In some instances, the network proxy device can receive a first communication (e.g., which may or may not have been transmitted by a domain proxy device as an intermediary between the base station and the network proxy device). The network proxy device can terminate the first communication and can initiate a new communication on behalf of the base station (or on behalf of the domain proxy device). In some instances, the network proxy device can receive the first communication as a layer 4 communication (e.g., the fourth layer of the Open Systems Interconnection (OSI) model) and can initiate the new communication as another layer 4 communication via a second network. Because the inbound transport connection is terminated at the proxy, no transport-layer state from the private network is carried onto the second network. In some instances, the new communication can be received by a firewall device whereby network address translation can be performed such that the communication can be addressed to a SAS device accessible via a public network, such as the internet. In response, the SAS device, the network proxy device, the intermediary network device, and/or the base station can initiate an encrypted communication (e.g., via a session layer and/or an application layer, i.e., layers 5 and 7, respectively), also referred to as an encrypted tunnel, to facilitate communication between the base station and the SAS device.

In some instances, the SAS device may whitelist (allowlist) the address of a client, which may correspond to the public IP address assigned to the firewall that performs network address translation for one or more communications, as discussed herein. Because every base station behind that firewall reaches the SAS from the same translated source address, the allowlist entry identifies the operator's egress point rather than any individual base station.

In some instances, communications by and between a base station and the SAS can include a registration request (e.g., the base station registers with the SAS as a base station capable of utilizing CBRS resources), a spectrum inquiry (e.g., the base station can inquire about CBRS resources, such as available spectrum in a particular location), a grant request (e.g., the base station can request a portion of CBRS spectrum to be allocated to the base station), a grant release (e.g., the base station can release, or relinquish, a portion of CBRS spectrum allocated to the base station), a heartbeat request (e.g., the base station can regularly ping or message the SAS to confirm that granted spectrum is still in use and/or to learn whether the spectrum is to be released, and vice versa), and the like.
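The following is an added example, not code from the original document, that runs the message sequence just listed (registration, spectrum inquiry, grant, heartbeat, release) against an in-memory stand-in for a SAS. Message and field names are modeled on the WInnForum SAS-CBSD interface specification as the editor recalls it; treat them as assumptions to verify against the specification before reuse. The stand-in enforces ordering (no grant before registration, no heartbeat without a live grant) and the 3550-3700 MHz band edges, which is where a proxy-mediated deployment most often fails silently: a grant that is refused or a heartbeat that returns a terminated-grant code must reach the base station unchanged through the proxies.

```python
"""CBSD-to-SAS signaling flow, simulated against an in-memory SAS stand-in.

Added example, not from the original document. Message and field names are
modeled on the WInnForum SAS-CBSD interface as recalled and are assumptions.
The stand-in does no incumbent protection; it only checks ordering and band.
"""
import itertools
from datetime import datetime, timedelta, timezone

CBRS_LOW_HZ, CBRS_HIGH_HZ = 3_550_000_000, 3_700_000_000
# Response codes (subset, assumed): SUCCESS, MISSING_PARAM, INVALID_VALUE,
# DEREGISTER (unknown cbsdId), UNSUPPORTED_SPECTRUM, TERMINATED_GRANT.
SUCCESS, MISSING_PARAM, INVALID_VALUE, DEREGISTER = 0, 102, 103, 105
UNSUPPORTED_SPECTRUM, TERMINATED_GRANT = 300, 500


def _resp(code, **fields):
    """Build a response object carrying the given code plus extra fields."""
    fields["response"] = {"responseCode": code}
    return fields


class FakeSas:
    """Tracks registered CBSDs and their grants; one method per message type."""

    def __init__(self):
        self.cbsds, self.grants, self._seq = {}, {}, itertools.count(1)

    def registration(self, req):
        if any(k not in req for k in ("userId", "fccId", "cbsdSerialNumber")):
            return _resp(MISSING_PARAM)
        cbsd_id = f"{req['fccId']}/{req['cbsdSerialNumber']}"
        self.cbsds[cbsd_id] = req
        return _resp(SUCCESS, cbsdId=cbsd_id)

    def spectrum_inquiry(self, req):
        if req.get("cbsdId") not in self.cbsds:
            return _resp(DEREGISTER)
        channels = []
        for rng in req["inquiredSpectrum"]:  # clip each inquired range to the band
            lo = max(rng["lowFrequency"], CBRS_LOW_HZ)
            hi = min(rng["highFrequency"], CBRS_HIGH_HZ)
            if lo < hi:
                channels.append({"frequencyRange": {"lowFrequency": lo, "highFrequency": hi}})
        return _resp(SUCCESS, cbsdId=req["cbsdId"], availableChannel=channels)

    def grant(self, req):
        if req.get("cbsdId") not in self.cbsds:
            return _resp(DEREGISTER)
        rng = req["operationParam"]["operationFrequencyRange"]
        if rng["lowFrequency"] < CBRS_LOW_HZ or rng["highFrequency"] > CBRS_HIGH_HZ:
            return _resp(UNSUPPORTED_SPECTRUM, cbsdId=req["cbsdId"])
        grant_id = f"G{next(self._seq)}"
        self.grants[(req["cbsdId"], grant_id)] = req["operationParam"]
        return _resp(SUCCESS, cbsdId=req["cbsdId"], grantId=grant_id, heartbeatInterval=60)

    def heartbeat(self, req):
        key = (req.get("cbsdId"), req.get("grantId"))
        if key not in self.grants:
            return _resp(TERMINATED_GRANT)
        expire = datetime.now(timezone.utc) + timedelta(seconds=240)
        return _resp(SUCCESS, cbsdId=key[0], grantId=key[1],
                     transmitExpireTime=expire.strftime("%Y-%m-%dT%H:%M:%SZ"))

    def relinquishment(self, req):
        key = (req.get("cbsdId"), req.get("grantId"))
        if self.grants.pop(key, None) is None:
            return _resp(INVALID_VALUE)
        return _resp(SUCCESS, cbsdId=key[0], grantId=key[1])


def run_cbsd_session(sas, fcc_id="FCC-TEST", serial="SN-0001",
                     low_hz=3_560_000_000, high_hz=3_570_000_000):
    """Drive the full flow and return the response code seen at each step."""
    out = {}
    reg = sas.registration({"userId": "op1", "fccId": fcc_id,
                            "cbsdSerialNumber": serial, "cbsdCategory": "B"})
    out["register"], cbsd_id = reg["response"]["responseCode"], reg.get("cbsdId")
    inq = sas.spectrum_inquiry({"cbsdId": cbsd_id, "inquiredSpectrum": [
        {"lowFrequency": 3_500_000_000, "highFrequency": 3_800_000_000}]})
    out["inquiry"] = inq["response"]["responseCode"]
    out["available"] = inq.get("availableChannel", [])
    grant = sas.grant({"cbsdId": cbsd_id, "operationParam": {"maxEirp": 20,
        "operationFrequencyRange": {"lowFrequency": low_hz, "highFrequency": high_hz}}})
    out["grant"], grant_id = grant["response"]["responseCode"], grant.get("grantId")
    hb = {"cbsdId": cbsd_id, "grantId": grant_id, "operationState": "GRANTED"}
    out["heartbeat"] = sas.heartbeat(hb)["response"]["responseCode"]
    rel = sas.relinquishment({"cbsdId": cbsd_id, "grantId": grant_id})
    out["release"] = rel["response"]["responseCode"]
    # A heartbeat after release must fail: the grant no longer exists.
    out["heartbeat_after_release"] = sas.heartbeat(hb)["response"]["responseCode"]
    out["cbsdId"], out["grantId"] = cbsd_id, grant_id
    return out
```

Running `run_cbsd_session(FakeSas())` with the defaults returns success codes at every step and a terminated-grant code for the final heartbeat; passing a range that starts below 3550 MHz makes the grant fail with the unsupported-spectrum code, after which the heartbeat and release also fail, which is the behaviour a base station behind the proxy must be prepared to handle.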

Although discussed in the context of base stations sending and receiving messages to and from a SAS associated with the CBRS spectrum, the techniques discussed herein are not limited to communications associated with base stations and/or communications associated with the CBRS spectrum. For example, the techniques discussed herein can be used to update software or configurations at a base station or a network device, to receive network statistics aggregated by a base station, to provide secure access to devices on a secure network, and the like.

For example, the techniques discussed herein can be used to facilitate communications between devices residing on any private network (e.g., a completely isolated network) and other devices residing on a public network, such as the internet.

In another example, the techniques discussed herein can be used to update any information residing on or stored in a private, isolated network that needs to be updated by a source on a public network or other private network.

The systems, devices, and techniques described herein can improve a functioning of a network by facilitating communications between secure devices on a first network and unsecured devices on a second network. In particular, the systems, devices, and techniques described herein can improve security of a network by isolating communications between secure devices on a first network and unsecured devices on a public network or another private network. Further, the techniques discussed herein allow network scaling such that an address of a SAS (or of a general network device) can be changed or maintained at a central location regardless of any number of base stations that communicate with the SAS. Further, the techniques discussed herein allow base stations to secure additional spectrum that can increase bandwidth and/or reduce congestion in a network. Communications by and between base station(s) can be restricted to a secure network, whereby traffic exiting and entering the secure network from other networks can be expressly controlled to limit exposure to viruses or other malicious traffic. These and other improvements to the functioning of a computer and network are discussed herein.

FIG. 1 illustrates an example environment 100 including network devices performing proxy based network access to facilitate the use of the Citizens Broadband Radio Service (CBRS) spectrum, as described herein.

The environment 100 can include base stations 102(1), 102(2), and 102(3), which may be referred to generally as a base station 102 or the base stations 102. Although the environment 100 illustrates three base stations 102, it can be understood that the environment 100 can include any number of base stations 102.

The base stations 102 may communicate signaling messages such as control plane messages via a network 104. In some instances, the network 104 may represent a private secure network without direct access to a public network such as the internet. For example, the network 104 can be completely isolated from other networks. In some instances, devices in communication with the network 104 or residing within the network 104 may use private IP addresses to address communications. In some instances, the network 104 can facilitate handoffs and/or handovers by and between user equipment (UE) devices (not shown) in communication with the base stations 102.

In some instances, the base stations 102 can be configured to wirelessly communicate via one or more access technologies, including but not limited to a Second Generation (2G) access technology, a Third Generation (3G) access technology, a Fourth Generation (4G) access technology, a 4G Long-Term Evolution (LTE) access technology, a Fifth Generation (5G) access technology, a Citizens Broadband Radio Service (CBRS) access technology, and the like. In some instances, environment 100 may represent any dual access or multi-access connectivity environment (e.g., including 4G and 5G base stations for dual connectivity).

In some examples, a network device 118 can be located in the network 104 to aggregate, receive, and/or send communications between the base stations 102 and one or more SAS devices, discussed below. In some examples, the network device 118 (also referred to as a domain proxy device 118) can perform network address translation for messages transmitted via the network 104. In some examples, the network device 118 can receive a message from a base station 102 (whereby the message is addressed to a FQDN associated with the SAS 116) and can translate the message to a network address associated with the network device 108. In some instances, the network device 118 can communicate with a name server or DNS server to translate a network address as applicable.

In some instances, the environment 100 can further include arrangements 106(1) and 106(2). In some instances, the arrangements 106(1) and 106(2) may be referred to generally as an arrangement 106 or as the arrangements 106. Although the environment 100 illustrates two arrangements 106, it can be understood that the environment 100 can include any number of arrangements 106.

In some instances, the arrangements 106(1) and 106(2) may represent substantially similar combinations of network devices to provide redundant services to disparate geographic areas. In some instances, the arrangement 106(1) can include a network device 108(1) (also referred to as a network proxy device 108(1)), a network 110(1), and a network device 112(1). Further, the arrangement 106(2) can include a network device 108(2) (also referred to as a network proxy device 108(2)), a network 110(2), and a network device 112(2). In some examples, the network device 108(1) and 108(2) can include substantially the same functionality. In some examples, the networks 110(1) and 110(2) can include substantially the same functionality. And in some examples, the network device 112(1) and 112(2) can include substantially the same functionality.

Although the environment 100 illustrates the arrangements 106 as including the network device 108, the network 110, and the network device 112, the arrangements 106 can include more or fewer devices and components than are illustrated herein.

The arrangements 106(1) and 106(2) can be communicatively coupled with a network 114, which may represent the internet.

Further, the environment 100 can include spectrum access systems 116(1), 116(2), and 116(3). In some cases, the spectrum access systems can be referred to generally as a spectrum access system 116 (or a “SAS 116”) or the spectrum access systems 116. Although the environment 100 illustrates three spectrum access systems 116, it can be understood that the environment 100 can include any number of spectrum access systems 116.

In some examples, the network device 108(1) can function as a load balancer, proxy device, switch, router, and/or network address translator to distribute messages to and from the base stations 102 (or from the network device 118) and other devices on the network 110(1). In some examples, the network device 108(1) can function as a proxy server for the base stations 102 and the devices in the arrangement 106(1). In some instances, the network device 108(1) can receive network communications from a base station 102 (or from the network device 118) as a layer 4 communication. The network device 108(1) can terminate the message and can initiate a second message as a layer 4 communication addressed to the SAS 116. In some instances, the network device 108(1) can determine an address associated with the network communications. In some instances, the network device 108(1) can translate a first address associated with the network 104 to a second address associated with the network 110(1). In some instances, the network device 108(1) can access a name server or DNS server for such a network address translation or may use a locally cached address, if available. In some instances, the network device 108(1) can maintain a network address forwarding table listing corresponding IP addresses and/or corresponding IP addresses and port combinations.

In some examples, the network device 108(1) and 108(2) can share a same IP address, such that a message or communication from the base station 102(1) (or from the network device 118) addressed to the network device 108(1) can be received by the network device 108(2) by virtue of the network device 108(2) being associated with the same address. If the network device 108(2) receives a communication prior to the network device 108(1), the network device 108(2) will forward a message and/or respond instead of the network device 108(1). That is, a network device of the network devices 108 that receives a message first will be considered to be closer and/or have lower latency and will be designated as a serving network device for the purposes of a communication.

In some instances, the addressing method of the network devices 108 can represent a one-to-many association (e.g., "Anycast") where datagrams or messages are routed to any single member of a group of potential receivers that are identified by a same destination address, such that a network device representing a lowest cost (based on a metric such as latency, congestion, available bandwidth, and the like) may be determined or selected as the receiver.

In some examples, the network devices 108 can be associated with unique IP addresses. In some examples, the network devices 108 can implement a unicast (one-to-one) protocol, a broadcast (one-to-all) protocol, a multicast (one-to-many-of-many or many-to-many-of-many) protocol, an anycast (one-to-one-of-many) protocol, a geocast (delivery based on geographic location) protocol, and the like.

In some examples, the network 110(1) can represent a backhaul network. In some examples, the network 110(1) can represent a private network with limited access to the network 114 via the network device 112(1).

In some examples, the network device 112(1) may represent a firewall that provides controlled (e.g., limited) access into and out of the network 110(1). For example, the network device 112(1) may include a list of network addresses to which communications are permitted and/or a list of network addresses to which communications are not permitted.
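The following is an added example, not code from the original document, that models the addressing decisions described above (the domain proxy device 118 resolving the SAS name to a private address, the network proxy device 108 terminating the flow and consulting its forwarding table and the backhaul name server, the firewall 112 applying its egress lists and source NAT, and the SAS 116 checking its allowlist) as one pure function per hop so the path can be traced and tested offline. Every name, table and address is constructed for illustration: the 10.x and 172.16.x addresses are RFC 1918 private space, and 198.51.100.x and 203.0.113.x are RFC 5737 documentation ranges standing in for public addresses.

```python
"""Address translation along the proxied path, modeled as pure functions.

Added example (not from the original document). Each hop in the text is one
function; all names, tables and addresses below are constructed.
"""
import ipaddress

SAS_FQDN = "sas.example.net"                       # hypothetical SAS name

# Domain proxy (118): locally provisioned FQDN -> private IP of network proxy.
DOMAIN_PROXY_TABLE = {SAS_FQDN: "10.0.0.10"}

# Network proxy (108): (private ip, port) of the terminated inbound flow ->
# backhaul-side name and port; name server 216 resolves that name to the
# SAS's public address. The 8443 entry exists only to exercise the deny path.
PROXY_FORWARDING_TABLE = {
    ("10.0.0.10", 443): ("sas-backhaul.example.net", 443),
    ("10.0.0.10", 8443): ("blocked.example.net", 443),
}
BACKHAUL_DNS = {"sas-backhaul.example.net": "198.51.100.40",
                "blocked.example.net": "198.51.100.99"}
PROXY_BACKHAUL_IP = "172.16.5.1"                   # proxy's address on network 110

# Firewall (112): egress ACL (deny wins over allow) and source NAT to one
# public address.
FIREWALL_PUBLIC_IP = "203.0.113.7"
FIREWALL_EGRESS_ALLOW = [ipaddress.ip_network("198.51.100.0/24")]
FIREWALL_EGRESS_DENY = [ipaddress.ip_network("198.51.100.99/32")]

# SAS (116): accepts only allowlisted client addresses, i.e. the firewall's.
SAS_ALLOWLIST = {FIREWALL_PUBLIC_IP}


class ProxyPathError(Exception):
    """Raised when a hop refuses to carry the message further."""


def domain_proxy_resolve(fqdn):
    """Hop 1: the base station asks for the SAS by name and is handed the
    network proxy's private address, never anything routable outside."""
    try:
        return DOMAIN_PROXY_TABLE[fqdn]
    except KeyError:
        raise ProxyPathError(f"domain proxy has no entry for {fqdn}") from None


def network_proxy_forward(dst_ip, dst_port):
    """Hop 2: the proxy terminates the inbound flow, looks up the backhaul
    destination and resolves it to the SAS's public address."""
    try:
        name, port = PROXY_FORWARDING_TABLE[(dst_ip, dst_port)]
        return BACKHAUL_DNS[name], port
    except KeyError:
        raise ProxyPathError(f"no forwarding entry for {dst_ip}:{dst_port}") from None


def firewall_egress(dst_ip):
    """Hop 3: ACL check on the destination, then SNAT; returns the public
    source address the SAS will see."""
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in FIREWALL_EGRESS_DENY):
        raise ProxyPathError(f"egress to {dst_ip} explicitly denied")
    if not any(addr in net for net in FIREWALL_EGRESS_ALLOW):
        raise ProxyPathError(f"egress to {dst_ip} not permitted")
    return FIREWALL_PUBLIC_IP


def sas_accept(client_ip):
    """Hop 4: the SAS admits only allowlisted client addresses."""
    if client_ip not in SAS_ALLOWLIST:
        raise ProxyPathError(f"SAS rejected client {client_ip}")
    return True


def trace_path(fqdn, port=443, bs_ip="10.0.1.25"):
    """Walk one message through every hop; return the (src, dst) pair seen on
    each network segment (104, 110, 114) in order."""
    proxy_ip = domain_proxy_resolve(fqdn)
    hops = [(bs_ip, f"{proxy_ip}:{port}")]
    sas_ip, sas_port = network_proxy_forward(proxy_ip, port)
    hops.append((PROXY_BACKHAUL_IP, f"{sas_ip}:{sas_port}"))
    nat_src = firewall_egress(sas_ip)
    hops.append((nat_src, f"{sas_ip}:{sas_port}"))
    sas_accept(nat_src)
    return hops


def path_allowed(fqdn, port=443):
    """True if the message reaches the SAS, False if any hop refuses it."""
    try:
        trace_path(fqdn, port)
        return True
    except ProxyPathError:
        return False
```

`trace_path("sas.example.net")` returns three hops whose source and destination addresses change at each boundary, which is the point of the design: the base station's private address never leaves network 104, and the SAS sees only the firewall's public address. `path_allowed("sas.example.net", 8443)` returns False because the firewall's deny list wins even though the proxy had a forwarding entry.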

FIG. 2 illustrates an environment 200 including a user equipment communicating with a base station and paths of signaling data and user data in the example environment, as described herein.

In some examples, any of the components and/or techniques discussed in connection with the environment 100 can be included in the environment 200, and vice versa.

In some examples, a user equipment (UE) 202 can be connected to the base station 102 via a connection 204 for sending and/or receiving data. The terms "user equipment (UE)," "user device," "wireless communication device," "wireless device," "communication device," "mobile device," and "client device," can be used interchangeably to describe any UE (e.g., the UE 202) that is capable of transmitting/receiving data wirelessly using any suitable wireless communications/data technology, protocol, or standard, such as Global System for Mobile communications (GSM), Time Division Multiple Access (TDMA), Universal Mobile Telecommunications System (UMTS), Evolution-Data Optimized (EVDO), Long Term Evolution (LTE), Advanced LTE (LTE+), New Radio (NR), Generic Access Network (GAN), Unlicensed Mobile Access (UMA), Code Division Multiple Access (CDMA), Orthogonal Frequency Division Multiple Access (OFDMA), General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), Advanced Mobile Phone System (AMPS), High Speed Packet Access (HSPA), evolved HSPA (HSPA+), Voice over IP (VoIP), VoLTE, Institute of Electrical and Electronics Engineers' (IEEE) 802.1x protocols, WiMAX, Wi-Fi, Data Over Cable Service Interface Specification (DOCSIS), digital subscriber line (DSL), CBRS, and/or any future Internet Protocol (IP)-based network technology or evolution of an existing IP-based network technology.

Examples of UEs (e.g., the UE 202) can include, but are not limited to, smart phones, mobile phones, cell phones, tablet computers, portable computers, laptop computers, personal digital assistants (PDAs), electronic book devices, or any other portable electronic devices that can generate, request, receive, transmit, or exchange voice, video, and/or digital data over a network. Additional examples of UEs include, but are not limited to, smart devices such as televisions, refrigerators, washing machines, dryers, smart mirrors, coffee machines, lights, lamps, temperature sensors, leak sensors, water sensors, electricity meters, parking sensors, music players, headphones, or any other electronic appliances that can generate, request, receive, transmit, or exchange voice, video, and/or digital data over a network.

The UE 202 may be capable of supporting 4G radio communications, such as LTE radio communications, and 5G radio communications, such as New Radio (NR) communications. In some examples, the UE 202 may be configured to support at least one of enhanced Mobile Broadband (eMBB) communications, Ultra Reliable Low Latency Communications (URLLCs), or massive Machine Type Communications (mMTCs). In some instances, the one or more devices can include at least one device supporting one or more of a sensor network, voice services, smart city cameras, gigabytes-in-a-second communications, 3D video, 4K screens, work & play in the cloud, augmented reality, industrial and/or vehicular automation, mission critical broadband, or self-driving cars.

The environment 200 can include a network 206 for conveying data plane communications between the base station 102 and a core network 208. In some cases, the core network 208 can include a 4G core network and/or a 5G core network. In some cases, the core network 208 may be communicatively coupled with the arrangement 106 and/or the network 114, although additional configurations are contemplated herein. For example, the environment 200 may be implemented in accordance with any one of Option 3, 3a, 3x, 4, 4a, 7, 7a, and/or 7x, as defined by 3GPP. That is, the environment 200 may include a 4G core and/or a 5G core and/or may include additional data-plane or control-plane signaling.

In the case where the core network 208 includes a 4G core network, the core network 208 may include an Evolved Packet Core (EPC). In some cases, the core network 208 may include any of a Mobility Management Entity (MME), a Serving Gateway (SGW), a Packet Data Network (PDN) Gateway (PGW), a Home Subscriber Server (HSS), an Access Network Discovery and Selection Function (ANDSF), an evolved Packet Data Gateway (ePDG), a Data Network (DN), and the like.

In the case where the core network 208 includes a 5G core network, the core network 208 may include any of an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Policy Control Function (PCF), an Application Function (AF), an Authentication Server Function (AUSF), a Network Slice Selection Function (NSSF), a Unified Data Management (UDM), a Network Exposure Function (NEF), a Network Repository Function (NRF), a User Plane Function (UPF), a DN and the like.

Although the network 206 and the network 104 are illustrated as separate networks, in some examples the network 206 and the network 104 can represent the same network.

In some examples, the core network 208 can comprise some or all of the arrangement 106, and in some examples, the arrangement 106 can comprise some or all of the core network 208.

Data plane communications between the base station 102 and the core network 208 can be represented via a path 210.

Control plane communications between the base station 102 and the network 104 can be represented via the path 212.

The environment 200 can include the network device 118 such that communications associated with the SAS can be received by the network device 118. Although not illustrated in FIG. 2, the environment 200 can include any number of base stations (e.g., tens, hundreds, thousands, etc.) such that the network device 118 aggregates SAS-associated communications for substantially all of the base stations. In some instances, the network device 118 can receive a communication from the base station 102 addressed to the SAS 116 and can access a locally stored IP address to redirect the communication to the network device 108.

In some examples, the environment 200 can include a name server 214 coupled with and/or accessible to the network 104 and a name server 216 coupled to and/or accessible to the arrangement 106. In some examples, the name server 214 may represent a domain name server (DNS) serving the network 104. In some examples, the name server 216 may represent a domain name server (DNS) serving the network 110 of the arrangement 106.

In some examples, the environment 200 can include additional control-plane communication channels and/or data-plane communication channels, in addition to or instead of those illustrated in FIG. 2. Wired or wireless communications between the UE 202 and the base station 102 are shown as lightning bolt symbols. Further, control plane and/or data plane communications may be transmitted and/or received via any wired or wireless transmission paths.

As noted above, control plane messages to and from base stations 102 associated with a communication network (e.g., a 2G, 3G, 4G, and/or 5G network) can be exchanged via the path 212 to the network 104. In some instances, the network 104 may be isolated from other private or public networks, such as the internet. In some instances, the network device 108 of the arrangement 106 can receive communications via the network 104 as a layer 4 communication and can initiate a new communication via the network 110 as a new layer 4 communication.

In some instances, when initiating a communication to the SAS 116(1), 116(2), or 116(3), the base station 102(1) can send a message to the network device 118, whereby the network device 118 can forward the message to the network device 108.

In some instances, the base station 102 (or the network device 118) can send an address request to the name server 214. In some instances, the address request can include a fully qualified domain name (FQDN) associated with the SAS 116(1), 116(2), or 116(3). In some instances, the base station 102 can receive an address response from the name server 214 including a first IP address associated with the SAS 116(1), 116(2), or 116(3). At least partially in response to receiving the address response from the name server 214, the base station 102 (or the network device 118) can address a message or first communication to the network device 108 in the arrangement 106. The network device 108 can be communicatively coupled with the secure network (e.g., the network 104) and a backhaul network (e.g., the network 110). The network device 108 can include an access control list that can control access to and from the network 104.

At least partially in response to receiving the first communication at the network device 108, the network device 108 can send a new communication addressed to the SAS 116 as a layer 4 communication.

In some examples, the network device 108 can send an address request to the name server 216, whereby the address request can include the first IP address associated with the SAS 116, and in response, the network device 108 can receive an address response from the name server 216, whereby the address response can include a second IP address (which may be a public IP address associated with the SAS 116 on the network 114). The network device 108 can send a new message to the SAS 116 using the second IP address.

In some instances, the network device 108 can implement or utilize a three-way handshake procedure with the SAS 116 and in response, can open an encrypted tunnel between the base station 102 (or the network device 118) and the SAS 116 (e.g., via an encrypted session layer and/or application layer).

FIG. 3 is a diagram 300 illustrating example signaling for using the proxy based network access techniques for CBRS spectrum management, as described herein. As can be understood, signals are illustrated by and between various components, with relative timing indicated by a vertical location of signals in the diagram.

In some instances, operations represented in the diagram 300 can be performed by one or more of the base stations 102, the network device 118, the network device 108, the network device 112, and the SAS 116.

In some instances, the base station 102 (also referred to as a BS 102) can include functionality to utilize one or more CBRS resources. To do so, the base station 102 exchanges a variety of communications (discussed throughout this disclosure) in connection with utilizing such CBRS resources.

In some instances, the base station 102 can send a registration request 302 to the network device 118 to register the base station 102 with the SAS 116. In some examples, the registration request 302 can include a domain name (e.g., a fully qualified domain name (FQDN)) associated with a particular service provider associated with a SAS 116. In some examples, the network device 118 may not be present in the network 104, in which case the base station 102 can send the message directly to the network device 108. In some examples, the base station 102 can transmit an address request to a name server to determine a location associated with the network device 118 and/or 108.

At least partially in response to the registration request 302, the network device 118 can translate an address associated with the registration request 302 into an address associated with the network device 108. In some examples, the network device 118 can store an IP address associated with the network device 108, and in some instances, the network device 118 can communicate with a name server or DNS server to determine an address associated with the network device 108 (or to determine an alias associated with another destination).

The network device 118 can transmit a registration request 304 to the network device 108 in response to the registration request 302.

The network device 108 can receive the registration request 304 as a layer 4 communication from the network device 118 (or the base station 102) and can initiate a new communication as a registration request 306 to the network device 112. In some examples, the network device 108 can terminate the session or communication associated with the registration request 304. In some instances, the network device 108 can function as a proxy server to initiate the registration request 306 in response to the registration request 304. In some examples, the network device 108 can access a name server or DNS server to determine an address associated with the network device 112 or the SAS 116, or can determine an alias associated with another name server or DNS server.

The network device 112 can receive the registration request 306 and can forward the registration request 306 to the SAS 116 as a registration request 308. In some examples, the network device 112 can include a firewall or access list that verifies that an address associated with the registration request 306 is allowed to exit the network 110. In some examples, the network device 112 can perform a network address translation to translate an address between the registration request 306 and the registration request 308 (e.g., the registration request 306 may be associated with a private IP address associated with the network 110 while the registration request 308 can be associated with a public IP address associated with the network 114). In some examples, an address associated with the registration request 306 and the registration request 308 can be the same.

The SAS 116 can receive the registration request 308, which may be associated with a three-way handshake, for example. The SAS 116 can transmit a registration response 310 to the base station 102 (e.g., via the network device 118) to indicate that the base station 102 is registered with the SAS 116.

The network device 108 can open a tunnel 312 between the network device 118 and the SAS 116. In some instances, the tunnel 312 can represent an encrypted session layer and/or application layer tunnel. In some examples, the network device 108 can open a tunnel between the base station 102 and the SAS 116, represented as a tunnel 314. In some examples, the tunnels 312 and/or 314 can be implemented at least partially in response to the registration response 310 being received by the network device 118 and/or by the base station 102.

In some examples, the SAS 116 can implement a three-way handshake with the network device 108 before receiving the registration request 308 via a tunnel established between the base station 102 and the SAS 116.

In accordance with examples discussed herein, diagram 300 can represent proxy based network access and/or multiple network address translations to send and receive messages by and between a base station 102 and a SAS 116. Thus, the signaling can provide a flexible framework while maintaining a high level of security and without exposing sensitive devices to a public network.

Although discussed in the context of a registration request and a registration response, the signaling can be used on any messages by and between devices spanning multiple networks (e.g., private and/or public networks).

In some examples, the base station 102 (and/or the network device 118) can send a spectrum inquiry and can receive a spectrum response (represented as a spectrum inquiry/response 316). In some examples, a spectrum inquiry can represent a request for information about whether an incumbent is in an area associated with the base station 102 and/or whether and/or an amount of bandwidth in the CBRS band is available. A spectrum response can include information about the presence of incumbents in an area, information associated with available bandwidth, and the like.

In some examples, the spectrum inquiry/response 316 can include signaling similar to or the same as the signaling used to convey the registration request 302 from the base station 102 to the SAS 116 and to receive the registration response 310.

In some examples, the base station 102 (and/or the network device 118) can send a grant request and can receive a grant response (represented as a grant request/response 318). In some examples, a grant request can represent a request for CBRS resources (e.g., a portion of CBRS spectrum for the base station 102 to use). A grant response can include permission to use such CBRS resources, and the like.

In some examples, the grant request/response 318 can include signaling similar to or the same as the signaling used to convey the registration request 302 from the base station 102 to the SAS 116 and to receive the registration response 310.

In some examples, the base station 102 (and/or the network device 118) can send a grant release and can receive a release response (represented as a grant release/response 320). In some examples, a grant release can indicate to the SAS 116 that the base station is releasing (not using) CBRS resources allocated to the base station 102. A release response can confirm that the SAS 116 has received the grant release, and the like.

In some examples, the grant release/response 320 can include signaling similar to or the same as the signaling used to convey the registration request 302 from the base station 102 to the SAS 116 and to receive the registration response 310.

In some examples, the base station 102, the network device 118, and/or the network device 108 can send a heartbeat request and can receive a heartbeat response (represented as a heartbeat request/response 322). In some examples, the heartbeat request and response can indicate a normal operation of the base station 102 (and/or the network device 118 and/or 108) and the SAS 116. In some instances, if the SAS 116 does not receive a heartbeat request within a predetermined time period, the SAS 116 may determine that the base station 102 (or some portion of the environment 100 or 200) is experiencing an error. Similarly, if the base station 102 does not receive a heartbeat response within a predetermined time period, the base station 102 may determine that the SAS 116 (or some portion of the environment 100 or 200) is experiencing an error. In some cases, if the base station 102 does not receive a heartbeat response, the base station 102 may release some or all of the CBRS resources allocated to the base station 102. In some cases, if the network device 108(1) does not receive a heartbeat from the SAS 116, communication addressed to the network device 108 (e.g., as an anycast) can be routed to the network device 108(2).

In some examples, the heartbeat request/response 322 can include signaling similar to or the same as the signaling used to convey the registration request 302 from the base station 102 to the SAS 116 and to receive the registration response 310.

In some examples, the spectrum inquiry/response 316, the grant request/response 318, the grant release/response 320, and/or the heartbeat request/response 322 can be exchanged via the tunnels 312 and/or 314.
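The heartbeat supervision described above, as an added example that is not part of the patent: a base station releases its grants when heartbeat responses stop, the SAS flags base stations whose heartbeat requests stop, and an anycast group of network devices 108(1), 108(2) routes around a member that has lost contact with the SAS. The timeout value, message fields and timestamps are constructed for the example.

```python
# Added example (not the patent's code): heartbeat supervision in the style of the
# heartbeat request/response 322. Timestamps are plain seconds so it runs offline;
# the timeout value and message fields are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEARTBEAT_TIMEOUT_S = 240.0  # assumed "predetermined time period"


@dataclass
class Grant:
    grant_id: str
    low_mhz: int
    high_mhz: int


@dataclass
class BaseStation:
    """Base station 102 view: releases its grants when the SAS stops answering."""
    cbsd_id: str
    last_response_at: float  # registration response 310 counts as first contact
    grants: Dict[str, Grant] = field(default_factory=dict)
    released: List[str] = field(default_factory=list)

    def heartbeat_request(self, now: float) -> dict:
        return {"type": "heartbeatRequest", "cbsdId": self.cbsd_id,
                "grantIds": sorted(self.grants), "sentAt": now}

    def on_heartbeat_response(self, now: float) -> None:
        self.last_response_at = now

    def check_timeout(self, now: float, timeout: float = HEARTBEAT_TIMEOUT_S) -> List[str]:
        """Release every grant if no response arrived within `timeout` seconds.
        Returns the grant ids released by this call (empty while healthy)."""
        if now - self.last_response_at <= timeout:
            return []
        released = sorted(self.grants)
        self.grants.clear()
        self.released.extend(released)
        return released


@dataclass
class SasHeartbeatMonitor:
    """SAS 116 view: flags base stations whose heartbeat request is overdue."""
    last_request_at: Dict[str, float] = field(default_factory=dict)

    def on_heartbeat_request(self, msg: dict, now: float) -> dict:
        self.last_request_at[msg["cbsdId"]] = now
        return {"type": "heartbeatResponse", "cbsdId": msg["cbsdId"], "sentAt": now}

    def overdue(self, now: float, timeout: float = HEARTBEAT_TIMEOUT_S) -> List[str]:
        return sorted(c for c, t in self.last_request_at.items() if now - t > timeout)


@dataclass
class AnycastProxyGroup:
    """Network devices 108(1), 108(2), ... behind one anycast address: traffic is
    routed to the first member that has recently heard a heartbeat from the SAS."""
    members: List[str]
    last_sas_heartbeat: Dict[str, float] = field(default_factory=dict)

    def route(self, now: float, timeout: float = HEARTBEAT_TIMEOUT_S) -> Optional[str]:
        for member in self.members:
            seen = self.last_sas_heartbeat.get(member)
            if seen is not None and now - seen <= timeout:
                return member
        return None  # no member is healthy; caller must treat the SAS as unreachable
```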

FIG. 4 illustrates an example computing device 400 to implement the network communications, as described herein. In some embodiments, the computing device 400 can correspond to the base station(s) 102, the network device(s) 108, and/or the network device(s) 110 of FIG. 1. It is to be understood in the context of this disclosure that the computing device 400 can be implemented as a single device or as a plurality of devices with components and data distributed among them.

As illustrated, the computing device 400 comprises a memory 402 storing an access list component 404, a network address translation component 406, and a network proxy component 420. Also, the computing device 400 includes processor(s) 408, a removable storage 410 and non-removable storage 412, input device(s) 414, output device(s) 416, and transceiver(s) 418.

In various embodiments, the memory 402 is volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or some combination of the two. The access list component 404, the network address translation component 406, and the network proxy component 420 stored in the memory 402 can comprise methods, threads, processes, applications or any other sort of executable instructions. The access list component 404, the network address translation component 406, and the network proxy component 420 can also include files and databases.

The access list component 404 can include functionality to control access to various portions of a network. For example, the access list component 404 can include one or more addresses where communications are allowed to be received from and/or transmitted to (e.g., an authorized list or authorized devices). In some examples, the access list component 404 can include one or more addresses where communications are not allowed to be received from and/or transmitted to (e.g., a non-authorized list). In some instances, the access list component 404 can discriminate based on message type (e.g., communications associated with CBRS resources may be permitted to be transmitted), and the like.

The network address translation component 406 can include functionality to translate one or more addresses for network communications. For example, the network address translation (NAT) component 406 can query one or more name servers to determine corresponding addresses. Further, the NAT component 406 can remove an address from a packet or other information (e.g., a first address) and can replace the address with another address to a next destination (e.g., a second address). In general, the NAT component 406 can map or remap one IP address space to another IP address space (e.g., a source address and/or a destination address) by modifying network address information in a header of packets while they are in a routing device. In some instances, the NAT component 406 can convert addresses from a private IP address to a public IP address, and vice versa. In some instances, the NAT component 406 can convert a first private IP address to a second private IP address and/or can convert a first public IP address to a second public IP address.

The network proxy component 420 can include functionality to receive a first communication and to transmit a second communication in response to the first communication. For example, the network proxy component 420 can receive, as a layer 4 communication, a first message from a base station or a network device (e.g., a domain proxy device) and can generate a second message addressed to a firewall or a SAS device in response to the first message.

In some embodiments, the processor(s) 408 is a central processing unit (CPU), a graphics processing unit (GPU), or both CPU and GPU, or other processing unit or component known in the art.

The computing device 400 also includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, and the like. Such additional storage is illustrated in FIG. 4 by removable storage 410 and non-removable storage 412. Tangible computer-readable media can include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. The memory 402, the removable storage 410 and the non-removable storage 412 are all examples of computer-readable storage media. Computer-readable storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD), content-addressable memory (CAM), or other optical storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computing device 400. Any such tangible computer-readable media can be part of the computing device 400.

The computing device 400 may be configured to communicate over a telecommunications network using any common wireless and/or wired network access technology, such as fiber optic links. Moreover, the computing device 400 may be configured to run any compatible device operating system (OS), including but not limited to, Microsoft Windows Mobile, Google Android, Apple iOS, Linux Mobile, as well as any other common mobile device OS.

The computing device 400 also can include input device(s) 414, such as a keypad, a cursor control, a touch-sensitive display, voice input device, etc., and output device(s) 416 such as a display, speakers, printers, etc. These devices are well known in the art and need not be discussed at length here.

As illustrated in FIG. 4, the computing device 400 also includes one or more wired or wireless transceiver(s) 418. For example, the transceiver(s) 418 can include a network interface card (NIC), a network adapter, a LAN adapter, or a physical, virtual, or logical address to connect to various networks, devices, or components illustrated in the environment 100, for example. To increase throughput when exchanging wireless data, the transceiver(s) 418 can utilize multiple-input/multiple-output (MIMO) technology. The transceiver(s) 418 can comprise any sort of wireless transceivers capable of engaging in wireless, radio frequency (RF) communication. The transceiver(s) 418 can also include other wireless modems, such as a modem for engaging in Wi-Fi, WiMAX, Bluetooth, infrared communication, and the like.

FIG. 5 illustrates an example process in accordance with embodiments of the disclosure. This process is illustrated as a logical flow graph, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the process.

FIG. 5 illustrates an example process 500 for secure network communications for CBRS spectrum management, as described herein. The example process 500 can be performed by the computing device 400, in connection with other components and/or devices discussed herein. Some or all of the process 500 can be performed by one or more devices or components in the environment 100 or the environment 200, for example.

At operation 502, the process can include receiving, at a network proxy device, a first communication from at least one of a base station or a domain proxy device, the first communication received via a first network and comprising a message associated with a Citizens Broadband Radio Service (CBRS) Spectrum Access System (SAS). For example, the network device 110 or the network device 112 can receive a first communication from the base station 102 or the network device 118. In some examples, the first communication can be associated with management of one or more CBRS resources. For example, the first communication can include, but is not limited to, a registration request, a spectrum inquiry, a grant request, a grant release, a heartbeat request, and the like. In some instances, the first communication may not be associated with a CBRS resource. For example, the first communication may include a request for a software update, for an updated configuration file, etc. In some examples, the first communication can be received from any computing device on a private network and is not limited to a base station or a domain proxy device, and the first communication is not limited to one associated with a CBRS resource. For example, a computing device can be associated with an intrusion detection system (IDS) or an intrusion prevention system (IPS) database.

At operation 504, the process can include terminating a first connection associated with the first communication. In some examples, the first communication can be associated with a layer 4 communication.

At operation 506, the process can include sending a second communication to the SAS via a second network, the second communication addressed to the public IP address associated with the SAS. For example, the second communication can be sent as a proxy initiated message in response to the first communication. In some examples, the operation 506 can include accessing a name server or a DNS server to determine an address associated with the SAS.

At operation 508, the process can include receiving, in response to the second communication, a third communication from the SAS. In some examples, the third communication can be addressed to the network device 108 that sent the second communication in the operation 506. In some examples, the third communication can be associated with a three-way handshake procedure (e.g., SYN, SYN/ACK, ACK). In some instances, the third communication can correspond to the second communication, and may include, but is not limited to, one or more of a registration response, an inquiry response, a grant response, a release response, a heartbeat response, and the like. In some instances, the third communication (e.g., a communication from a SAS 116 or from any network device or entity) can be received without being in response to an initiating message.

At operation 510, the process can include establishing, in response to the third communication, an encrypted session layer and/or application layer tunnel between the at least one of the base station or the domain proxy device and the SAS. In some instances, the session layer and/or the application layer tunnel may allow messages associated with CBRS resources to be exchanged between the base station/domain proxy device and the SAS device, as discussed herein.
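Process 500 (operations 502 to 510), together with the access list, NAT and network proxy components 404, 406 and 420 of FIG. 4, modelled as added example code that is not the patent's own: the proxy checks an access list, terminates the inbound layer 4 message, resolves the SAS name through a name-server table, and sends a proxy-initiated message through a NAT firewall, so the SAS only ever sees the firewall's public address. All addresses, names and message fields are constructed; `build_environment` sets up the sample topology.

```python
# Added example (not the patent's code). Addresses, names and message fields are
# constructed; NAME_SERVER stands in for name server 216.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NAME_SERVER: Dict[str, str] = {"sas.provider.invalid": "203.0.113.10"}


@dataclass
class Message:
    src: str      # address the message is sent from
    dst: str      # address it is sent to
    kind: str     # e.g. registrationRequest / registrationResponse
    body: dict = field(default_factory=dict)


class Firewall:
    """Network device 112: egress list plus NAT between network 110 and network 114."""

    def __init__(self, public_ip: str, egress_allowed: List[str]) -> None:
        self.public_ip, self.egress_allowed = public_ip, set(egress_allowed)
        self.nat: Dict[str, str] = {}  # public peer -> internal address that reached it

    def outbound(self, msg: Message) -> Optional[Message]:
        if msg.src not in self.egress_allowed:
            return None  # this internal host may not leave network 110
        self.nat[msg.dst] = msg.src
        return Message(self.public_ip, msg.dst, msg.kind, msg.body)

    def inbound(self, msg: Message) -> Optional[Message]:
        internal = self.nat.get(msg.src)
        if internal is None:
            return None  # unsolicited traffic from the public side is dropped
        return Message(msg.src, internal, msg.kind, msg.body)


class Sas:
    """Stand-in for SAS 116; records the source address of each registration."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip, self.seen = public_ip, []

    def handle(self, msg: Message) -> Message:
        self.seen.append((msg.src, msg.body["cbsdId"]))
        return Message(self.public_ip, msg.src, "registrationResponse",
                       {"cbsdId": msg.body["cbsdId"], "responseCode": 0})


class NetworkProxyDevice:
    """Network device 108: one leg on network 104, one on network 110."""

    def __init__(self, ip_104: str, ip_110: str, authorized: List[str],
                 firewall: Firewall, sas: Sas) -> None:
        self.ip_104, self.ip_110 = ip_104, ip_110
        self.authorized = set(authorized)  # access list component 404
        self.firewall, self.sas = firewall, sas
        self.tunnels: List[tuple] = []  # (device on network 104, SAS public IP)

    def handle(self, first: Message) -> Optional[Message]:
        # 502: first communication arrives from the domain proxy or base station.
        if first.src not in self.authorized:
            return None
        # 504: the layer-4 connection ends here; `first` itself is never forwarded.
        public_ip = NAME_SERVER.get(first.body.get("sasName", ""))
        if public_ip is None:
            return None
        # 506: proxy-initiated second communication from the proxy's network-110 leg.
        on_wire = self.firewall.outbound(
            Message(self.ip_110, public_ip, first.kind, dict(first.body)))
        if on_wire is None:
            return None
        # 508: third communication from the SAS, NATed back to the proxy.
        third = self.firewall.inbound(self.sas.handle(on_wire))
        if third is None:
            return None
        # 510: tunnel endpoints recorded; the network-104 device never appears on 114.
        self.tunnels.append((first.src, public_ip))
        return Message(self.ip_104, first.src, third.kind, third.body)


def build_environment() -> tuple:
    """Constructed topology: 10.0.4.0/24 is network 104, 10.0.10.0/24 is network 110."""
    sas = Sas("203.0.113.10")
    firewall = Firewall("198.51.100.7", egress_allowed=["10.0.10.8"])
    proxy = NetworkProxyDevice("10.0.4.8", "10.0.10.8", ["10.0.4.118"], firewall, sas)
    return proxy, sas
```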

CONCLUSION

Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the claims. 

What is claimed is:
 1. A system comprising: one or more processors; a memory; and one or more components stored in the memory and executable by the one or more processors to perform operations comprising: receiving, at a computing device, a first communication from a domain proxy device, the first communication received as a first control plane communication via a first network and comprising a message associated with a Citizens Broadband Radio Service (CBRS) Spectrum Access System (SAS); terminating a first connection associated with the first communication; sending a second communication to the SAS via a second network, the second communication addressed to a public IP address associated with the SAS; receiving, in response to the second communication, a third communication from the SAS; and establishing at least one of an encrypted application layer tunnel or an encrypted session layer tunnel between the domain proxy device and the SAS in response to the third communication.
 2. The system of claim 1, wherein the first communication comprises at least one of: a registration request associated with a CBRS resource; a spectrum inquiry associated with the CBRS resource; a grant request associated with the CBRS resource; or a grant release associated with the CBRS resource.
 3. The system of claim 1, wherein a fourth communication transmitted via the at least one of the encrypted application layer tunnel or the encrypted session layer tunnel comprises at least one of: a registration response associated with a CBRS resource; an inquiry response associated with the CBRS resource; a grant response associated with the CBRS resource; or a release response associated with the CBRS resource.
 4. The system of claim 1, wherein the computing device includes an access list associated with authorized devices, the operations further comprising determining, based at least in part on the access list, that the domain proxy device is an authorized device.
 5. The system of claim 1, wherein the first communication is one of a plurality of first communications, wherein the plurality of first communications are addressed to a same address that corresponds to a plurality of computing devices.
 6. The system of claim 1, wherein the first network is a private network without direct access to a public network.
 7. The system of claim 1, wherein the second network is a private network with access to a public network, wherein the access is controlled based at least in part on a firewall.
 8. A processor-implemented method comprising: receiving, at a network proxy device, a first communication from a first computing device, the first communication received via a first network and addressed to the network proxy device; sending, in response to the first communication, a second communication to a second computing device associated with a second network; receiving, in response to the second communication, a third communication from the second computing device; and establishing an encrypted tunnel between the first computing device and the second computing device in response to the third communication, wherein the first computing device comprises at least one of a base station or a domain proxy device.
 9. The processor-implemented method of claim 8, wherein the first communication comprises at least one of: a registration request associated with a Citizens Broadband Radio Service (CBRS) resource; a spectrum inquiry associated with the CBRS resource; a grant request associated with the CBRS resource; or a grant release associated with the CBRS resource.
 10. The processor-implemented method of claim 8, wherein the third communication is associated with a three-way handshake procedure.
 11. The processor-implemented method of claim 8, wherein the second computing device comprises at least one of a firewall or a Citizens Broadband Radio Service (CBRS) Spectrum Access System (SAS).
 12. The processor-implemented method of claim 8, wherein the first network is a private network without direct access to a public network.
 13. The processor-implemented method of claim 8, wherein the second network is a private network with access to a public network, the access controlled based at least in part by a firewall.
 14. A non-transitory computer-readable medium storing instructions that, when executed, cause one or more processors to perform operations comprising: receiving a first communication from at least one of a base station or a domain proxy device, the first communication received via a first network and comprising a message associated with a Citizens Broadband Radio Service (CBRS) Spectrum Access System (SAS); terminating a first connection associated with the first communication; sending, based at least in part on the first communication, a second communication to the SAS via a second network, the second communication addressed to a public IP address associated with the SAS; receiving, in response to the second communication, a third communication from the SAS; and establishing an encrypted tunnel between the domain proxy device and the SAS in response to the third communication.
 15. The non-transitory computer-readable medium of claim 14, wherein the first communication comprises at least one of: a registration request associated with a CBRS resource; a spectrum inquiry associated with the CBRS resource; a grant request associated with the CBRS resource; or a grant release associated with the CBRS resource.
 16. The non-transitory computer-readable medium of claim 14, wherein a fourth communication transmitted via the encrypted tunnel comprises at least one of: a registration response associated with a CBRS resource; an inquiry response associated with the CBRS resource; a grant response associated with the CBRS resource; or a release response associated with the CBRS resource.
 17. The non-transitory computer-readable medium of claim 14, wherein the second communication is a proxy message in response to the first communication.
 18. The non-transitory computer-readable medium of claim 14, wherein the first network is a private network without layer 4 access to a public network.
 19. The non-transitory computer-readable medium of claim 14, wherein the second network is a private network with limited access to a public network. 